Security researchers show how an attacker can access a Nissan Leaf electric car by exploiting a vulnerability in its APIs
Security researchers examining the application programming interfaces (APIs), the set of protocols that software is built against, used by car manufacturing giant Nissan have detected vulnerabilities in the mobile management APIs for the Nissan Leaf electric car.
These APIs allow anyone who knows a car's VIN to access features like climate regulation and battery charge management from anywhere across the World Wide Web. And a VIN is clearly visible to the entire world through the car’s windshield.
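The weakness described above amounts to a missing authorization check: the VIN is the only "credential" the service asks for. The sketch below is an added illustration, not Nissan's code or code from the researchers; the handler names, the made-up VINs and the in-memory stores are all assumptions. It puts that pattern next to a handler that first authenticates the caller and then checks that the caller owns the vehicle.

```python
import secrets

# Constructed sample data: VIN -> owning account (VINs are made up).
VEHICLE_OWNER = {
    "TESTVIN0000000001": "alice",
    "TESTVIN0000000002": "bob",
}
SESSIONS = {}  # session token -> account, filled by login()


def login(account):
    """Stand-in for a real credential check; issues an unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def climate_insecure(vin, turn_on):
    """Pattern described in the article: the VIN is the only 'credential'."""
    if vin not in VEHICLE_OWNER:
        return 404, "unknown vehicle"
    return 200, f"climate {'on' if turn_on else 'off'} for {vin}"


def climate_secure(token, vin, turn_on):
    """Authenticate the caller, then authorize the caller for this VIN."""
    account = SESSIONS.get(token)
    if account is None:
        return 401, "not authenticated"
    # Same answer for unknown and foreign VINs, so responses cannot be
    # used to confirm which VINs exist.
    if VEHICLE_OWNER.get(vin) != account:
        return 403, "forbidden"
    return 200, f"climate {'on' if turn_on else 'off'} for {vin}"


def demo():
    """Bob's requests against Alice's car under both handlers."""
    bob = login("bob")
    alice_vin = "TESTVIN0000000001"
    return {
        "insecure_foreign": climate_insecure(alice_vin, True)[0],
        "secure_foreign": climate_secure(bob, alice_vin, True)[0],
        "secure_own": climate_secure(bob, "TESTVIN0000000002", True)[0],
        "secure_anonymous": climate_secure("", alice_vin, True)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The same ownership check belongs on every endpoint keyed by VIN, including the one that returns trip history.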
Attackers can access the Nissan Leaf via insecure APIs
One of the security researchers wrote in a blog post that his main concern was with the “telematics system in the car” that is leaking the “historical driving data”.
He continues to write that:
“That’s the details of every trip I’ve ever made in the car, including when I made it, how far I drove and even how efficiently I drove. This could easily be used to build up a profile of my driving habits, considering it goes back almost 2 years and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”
In an embedded video, the two researchers, Scott Helme and Troy Hunt, explained that the discovery was made by another person who attended a workshop along with them. After his discovery, Hunt demonstrated that he was able to access Helme’s Nissan Leaf, sitting in England, ten thousand miles away from Australia.
The person who worked with them in the workshop went back to his hotel room the day he discovered that such access was possible and proxied his iPhone via the computer since the APIs that are used to access the Nissan Leaf cars work on both Android and iOS platforms.
While Hunt maintained that this would not necessarily turn out to be a life-threatening situation, hackers could, however, use this NissanConnect app to gain control over some features of Nissan’s electric car and mess around with them.
Nissan acknowledged that it was aware of the issue and said that it does not have any effect on the car’s safety, perhaps to stop customers from panicking. The company said it was looking into the issue and was working to deliver “the best possible experience” for its customers.